=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN415
_____________________________________________________________________

DATE                      : 18/10/2010

HARDWARE PLATFORM(S)      : Blue Coat ProxySG.

OPERATING SYSTEM(S)       : Blue Coat SGOS.

======================================================================
https://kb.bluecoat.com/index?page=content&id=SA48
______________________________________________________________________

Security Advisories
October 15, 2010 - JavaScript detection improvements in active content
transformation


Security Advisories ID:	  	SA48
Version:	  	8.0
Status:	  	Published
Published date:	  	10/01/2010
Updated:	  	10/15/2010
Applies To:	  	SGOS 5, SGOS 4, ProxySG, SGOS 6

Advisory Status
Interim

Advisory Severity
Medium, CVSS v2 base score 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE Number
No CVEs are associated with this vulnerability.

Summary
The Active Content Transformation or Removal feature of ProxySG does not
detect JavaScript when encoded using hex and UTF-8 entities.  This allows
an attacker to bypass the policy rules configured in ProxySG to deliver
malicious content.

Affected Products
All versions of ProxySG are vulnerable.

Details
Malicious scripts are commonly encoded in web pages and run without a
user's knowledge.  ProxySG can be configured to supplement virus scanning
of Web content by detecting and removing the HTML tags that launch active
content such as Java applets or scripts.  In addition the removed content
can be replaced with predefined material, also called active content
transformation.

ProxySG can detect three types of JavaScript active content:

Anything within the <script></script> tags.
JavaScript events within HTML attributes with onEventName names (e.g., onClick, onLoad).
JavaScript within HTML attribute values using the javascript: URI scheme.

Vulnerable SGOS versions only detect these tags and attributes encoded in ASCII.
Tags and attributes encoded in other formats will elude detection.

SGOS has been fixed to provide better detection of JavaScript active content
within an HTML document.  SGOS will now detect tags and attributes encoded using
hex and UTF-8 entities, and when formatting characters such as newlines and tabs
are used.  This update will allow ProxySG to remove or replace more instances
of JavaScript that had previously not been detected.

Workarounds
Malicious active content is difficult to distinguish from legitimate active content.
ProxySG active content transformation and removal is designed to supplement WebPulse,
virus scanners, and browser protections that detect and prevent malicious active content.
Customers are encouraged to employ multiple layers of protection to achieve the best
results.

Patches
ProxySG 6.1 - not yet available.

ProxySG 5.5 - not yet available.

ProxySG 5.4 - a fix is available in patch release 5.4.5.1.  The fix is
available to customers with a valid BlueTouch Online login from
bto.bluecoat.com/download/patch/65157143683264366202640664616477.

ProxySG 5.3 - please upgrade to a later version.

ProxySG 4.3 - not yet available.

Advisory History
2010-10-15 Initial public release.



======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================